Cloudflare Credentials Stolen in Web Developer Chrome Extension Hack

In July it became known, and noticeable to users, that the popular Chrome Web Developer extension had been compromised. Malware ads were suddenly being served in places such as the Google homepage and Google search results, where there obviously should not be any ads of this type. The developer issued a fix later that day, and many assumed that updating the extension to remove the malicious code was enough. But it seems the attackers had a much bigger target than simple malware: the Cloudflare credentials of everyone who used the Web Developer extension.

The Web Developer extension was not the only one compromised for Cloudflare credentials, although it is the most popular one for site owners and SEOs to have installed. Multiple other extensions were also compromised via similar phishing attacks, according to Wordfence, with a total of 4.8 million users affected. The affected extensions:

  • Web Developer – Version 0.4.9 affected
  • Chrometana – Version 1.1.3 affected
  • Infinity New Tab – Version 3.12.3 affected
  • CopyFish – Version 2.8.5 affected
  • Web Paint – Version 1.2.1 affected
  • Social Fixer – Version 20.1.1 affected
  • TouchVPN – appears to have been affected, but the version is unclear
  • Betternet VPN – also appears to have been affected, but no version was provided

If you had any of the above extensions installed, change your Cloudflare password(s) immediately. You also need to revoke and regenerate your Cloudflare API keys, since a changed password does nothing to invalidate a key that was already stolen.

On the positive side, no sites are known to have been compromised via Cloudflare at this time, but the stolen credentials could be used in a future attack, so those keys and passwords still need to be changed.

It is also a reminder for Chrome users to periodically review their installed extensions and delete or disable any that are not in regular use, to reduce the chance that a compromised extension is active while you browse.
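As an added example (not from the original post, Wordfence or Proofpoint), the following Python check walks a Chrome profile's Extensions folder, which Chrome lays out as `<id>/<version>/manifest.json` (on Linux typically `~/.config/google-chrome/Default/Extensions`), and reports any extension whose displayed name and version match the list above. The `demo()` function builds a constructed sample profile in a temporary directory; the extension IDs and the unrelated extension in it are made up for the demo.

```python
import json
import tempfile
from pathlib import Path

# Name -> version carrying the malicious code, from the list above; None means any version.
AFFECTED = {"Web Developer": "0.4.9", "Chrometana": "1.1.3", "Infinity New Tab": "3.12.3",
            "CopyFish": "2.8.5", "Web Paint": "1.2.1", "Social Fixer": "20.1.1",
            "TouchVPN": None, "Betternet VPN": None}

def resolve_name(ext_dir, raw_name):
    """Manifests may use a '__MSG_key__' name defined in _locales/<lang>/messages.json."""
    if not (raw_name.startswith("__MSG_") and raw_name.endswith("__")):
        return raw_name
    key = raw_name[6:-2]
    for messages in sorted(ext_dir.glob("_locales/*/messages.json")):
        entry = json.loads(messages.read_text(encoding="utf-8")).get(key)
        if isinstance(entry, dict) and "message" in entry:
            return entry["message"]
    return raw_name  # unresolved placeholder: it will simply never match AFFECTED

def find_affected(extensions_root):
    """Sorted (name, version) pairs for extensions under <id>/<version>/manifest.json that match AFFECTED."""
    hits = []
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-installed extension; skip rather than abort
        name = resolve_name(manifest.parent, str(data.get("name", "")))
        if name not in AFFECTED:
            continue
        version = str(data.get("version", ""))
        if AFFECTED[name] in (None, version):
            hits.append((name, version))
    return sorted(hits)

def demo():
    """Constructed sample profile: a localized-name hit, a patched Chrometana, and an unrelated extension."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, version, name in [("aaaa", "0.4.9", "__MSG_appName__"),
                                      ("bbbb", "1.1.4", "Chrometana"), ("cccc", "2.0.0", "Unrelated")]:
            d = root / ext_id / version
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
        loc = root / "aaaa" / "0.4.9" / "_locales" / "en"
        loc.mkdir(parents=True)
        (loc / "messages.json").write_text(json.dumps({"appName": {"message": "Web Developer"}}))
        return find_affected(root)
```

Matching is by displayed name only, so a clean bill from this check is not proof of anything; rotating Cloudflare credentials is still the safe course for anyone who had these extensions installed.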

For a much more detailed analysis of the original attacks, read the threat analysis on Proofpoint.
